Re: XSS mitigation in browsers

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Wed, 19 Jan 2011 15:40:44 -0800
Message-ID: <AANLkTi=VHugpaRYtOqNh6W-23uH2gWKyq5ECg9sWhUmv@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: public-web-security@w3.org, Sid Stamm <sid@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>

> The current text just uses the final URL.  Is there some reason every
> hop is important?  Using the final URL is analogous to how <iframe>
> works, for example.

Yeah, I meant to say it should not settle for checking the initial
URL only (this is a mistake repeated so many times with
XMLHttpRequest, etc., that it's becoming very sad). The last URL is
obviously fine.

> The attacker can always just avoid doing anything that triggers a
> SecurityViolation (because triggering SecurityViolations is useless
> from the attacker's point of view).  The monitoring aspect is mostly
> useful for the non-malicious case: to make sure you're not screwing up
> your policy somehow.

OK, fair point.

/mz
Received on Wednesday, 19 January 2011 23:41:36 GMT
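
The distinction discussed in this message, checking only the initial URL versus checking the final URL after redirects, shown as an added example that is not part of the original thread or of any specification text. The hosts, the origin allowlist and the redirect table are constructed, and the policy format is an assumption.

```javascript
// Added illustration; hosts, allowlist and redirect table are constructed.
const ALLOWED_ORIGINS = new Set(["https://static.example.com"]);

// Constructed redirect table standing in for HTTP 3xx responses.
const REDIRECTS = new Map([
  ["https://static.example.com/go?id=1", "https://cdn.example.net/lib.js"],
  ["https://static.example.com/old.js", "https://static.example.com/new.js"],
]);

// Follow redirects from `start`; returns every hop, the final URL last.
function resolveChain(start, redirects = REDIRECTS, maxHops = 10) {
  const hops = [start];
  let current = start;
  while (redirects.has(current)) {
    if (hops.length > maxHops) throw new Error("too many redirects");
    current = redirects.get(current);
    hops.push(current);
  }
  return hops;
}

// Policy decision for a single URL: is its origin on the allowlist?
function originAllowed(url) {
  return ALLOWED_ORIGINS.has(new URL(url).origin);
}

// Flawed check: decides before any redirect has been followed.
function checkInitialOnly(start) {
  return originAllowed(start);
}

// Check against the URL the content is actually loaded from.
function checkFinal(start, redirects = REDIRECTS) {
  const hops = resolveChain(start, redirects);
  return originAllowed(hops[hops.length - 1]);
}
```

For the constructed request `https://static.example.com/go?id=1`, `checkInitialOnly` accepts the load while `checkFinal` rejects it, because the response is served from `cdn.example.net`.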